Class Activity: User Education on SNS Phishing
Contextual Training
  - Users are sent simulated phishing messages by the experimenter to test their vulnerability to phishing attacks
  - At the end of the study, the user is notified about phishing attacks
  - No immediate feedback

Embedded Training
  - Teaches the user about phishing during regular usage of the application, such as

Reflection Principle
  - Reflection is the process by which learners are made to stop and think about what they are learning

Story-based Agent Environment Principle
  - Agents are characters that help users through the learning process

Conceptual-Procedural Principle
  - Conceptual and procedural knowledge influence one another
Demo of Anti-Phishing Phil
Another Form of Phishing Attack Full Screen API Demo
Ad-Click Demo
User Should Reject Security Advice?
  - Rejecting security advice is rational for users from an economic perspective
  - 100% of certificate error warnings appear to be false positives
  - Most security advice offers users a poor cost-benefit tradeoff and is rejected
  - How can we blame users for not adhering to certificate warnings when the vast majority of them are false positives?

Users are the Weakest Link in Security
  - Why attack machines when users are so easy to target?
  - Most large websites offer security tips to users
  - Not very effective, however
  - Users are lazy

Why Do Users Disregard Security Warnings?
  - Overwhelmed
  - Benefits are moot, or perceived as moot: a strong password does nothing in the presence of a keylogger
  - How often does a user perceive a real attack?
Password Policies
Teaching Users to Identify Phishing Sites by Reading the URL
  - Phishers quickly evolve
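The slide above relies on users reading the right part of a URL. The following Python snippet, added here as an illustration and not part of the original slides, does what a trainer wants users to do by hand: resolve the URL the way a browser does, extract the host that will actually be contacted, and check it against the registrable domain a brand is known to use. The brand table and the sample URLs are constructed for this example (using the reserved example.test name), not data from the lecture.

```python
from urllib.parse import urlsplit

# Constructed lookup of brand -> registrable domain it legitimately uses.
# Assumption for this example only; a real deployment would load a vetted list.
KNOWN_DOMAINS = {"paypal": "paypal.com"}


def host_of(url: str) -> str:
    """Return the lowercase hostname a browser would connect to for `url`.

    urlsplit() strips any userinfo ("user@") and port, so the returned host
    is the part a user should actually be reading, not the part that merely
    looks familiar.
    """
    if "://" not in url:
        url = "https://" + url          # treat a bare "www.site/path" as https
    parts = urlsplit(url)
    return (parts.hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True if `host` is `domain` itself or a subdomain of it.

    The check is on a label boundary ("." + domain), so "paypal.com.example.test"
    does not pass for "paypal.com".
    """
    return host == domain or host.endswith("." + domain)


def check_url(url: str, brand: str) -> dict:
    """Compare the host of `url` with the domain `brand` is known to use."""
    host = host_of(url)
    expected = KNOWN_DOMAINS[brand]
    return {"host": host, "expected": expected, "ok": belongs_to(host, expected)}


if __name__ == "__main__":
    # Constructed sample URLs for a training exercise.
    samples = [
        "https://www.paypal.com/signin",
        "https://www.paypal.com.example.test/signin",
        "https://example.test/paypal.com/login",
        "https://paypal.com@example.test/",
    ]
    for url in samples:
        result = check_url(url, "paypal")
        verdict = "matches" if result["ok"] else "does NOT match"
        print(f"{url}\n  host read by browser: {result['host']} -> {verdict} {result['expected']}")
```

Only the first sample passes; the other three all contain the string "paypal.com" somewhere a user might notice, but the host the browser contacts is example.test, which is the point the slide wants learners to internalise.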
Certificate Errors
  - Type
  - Type
  - Type "paypal" + Ctrl+Enter
  - Search Google for PayPal and click the link
  - Click bookmarked
  - Click bookmarked
  - Problems?
Discussion